Should you get certified? Vello Security’s 2020 Guide to Certifications
I get asked a lot of questions about certifications, so this post and the video here serve as some of the guidance that I give out to newer people trying to get a job or move up to a more senior position. There is some great information for people who already hold many certs too in the blog post that goes along with this, so make sure to take a look.
We are going to be covering the following questions:
Should I get certified?
How do you pick the right certification?
How do you maintain your certifications?
Should I get certified?
There are many factors to consider if you want to get certified, and everyone’s situation is different. Many people have conflicting opinions on whether obtaining a bunch of certifications really helps or not. When making this decision, it’s important to take your current situation into account, and not just blindly follow what your friends or people on the internet tell you. Step back and analyze what is going to be best for you in your current situation.
Some questions to think about are:
Is this going to help you get a job?
Do you have to pay out of pocket or is your employer going to pay?
How soon do you need to get the cert?
Do you have the time to dedicate to studying?
Is this something that you want to do?
How do you pick the right certification?
One of the toughest questions you may have is “how do I pick the right cert?” This is a really important topic, especially for people who have to pay for a course and/or exam out of pocket. Getting the most bang for your buck is essential.
Let’s start with some certifications that can be applicable in a lot of situations. In this section we will mostly cover entry-level to intermediate stuff.
The CompTIA Network+ and Security+ certifications and material offer a great introduction for people with little to no experience. These are vendor-neutral certifications, so they can apply to a lot of job roles. They have been around for quite some time, but the vendor does a pretty good job of keeping up with current topics, technologies, and security practices. There are also many vendor-specific certifications that could be beneficial, depending on what you are trying to do. One well-known example is the Cisco Certified Network Associate, or CCNA, which covers routing and switching and some other general topics. Something like this may limit your options when job hunting, but it can also be very beneficial, as a lot of companies are looking to hire people who can operate and maintain the expensive hardware that they have already purchased.
Offensive Security Certifications
There are many flavors of hacking, so make sure to find a certification that fits with what you will be doing. You may need something specific to web applications, network-based attacks, Wi-Fi attacks, social engineering, or a combination of all of these.
One certification that most aspiring hackers have heard of is the Offensive Security Certified Professional, or OSCP. I can’t recommend this one enough! Out of all of the certification courses and exams that I’ve taken, the OSCP had to be one of the most challenging and rewarding. The entire course and exam are practical, so you really have to know your stuff. Even if you aren’t planning to be a hacker, having an offensive mindset can be a great benefit when trying to defend a network or manage an IT team.
Penetration Testing With Kali Linux/OSCP: https://www.kali.org/penetration-testing-with-kali-linux/
Already planning to get the OSCP? Check out our updated guide here.
Another great course offered by the Offensive Security team is the Offensive Security Certified Expert, or OSCE. This was very challenging as well, but mostly focused on exploit research and development with a bit of advanced penetration testing tied in.
Cracking the Perimeter: https://www.offensive-security.com/ctp-osce/
SANS is another vendor that offers a plethora of offensive security certifications. The courses and exams are quite expensive, so they may be out of reach for many, but if you have the opportunity, it will be hard to find in-person training that is of better quality.
SANS Course Roadmap: https://www.sans.org/cyber-security-skills-roadmap/
There are numerous other certifications out there that you can pick from.
Take a look at this certification chart driven by the security community:
I know that we are talking about certifications here, but as far as training goes, there are tons of excellent training resources out there that may benefit you. I’ve heard excellent reviews of the training that companies like TrustedSec and SpecterOps provide.
TrustedSec Training: https://www.trustedsec.com/services/online-security-training-courses/
SpecterOps Training: https://specterops.io/how-we-help/training-offerings
If you aren’t sure if you want to go for offensive or defensive security, you may want to check out the GIAC Certified Incident Handler certification. The associated SANS course covers numerous offensive security and incident response topics and is very well rounded.
Defensive Security Related Certifications
On to the more defensive security certs, SANS has many to choose from. When deciding what to choose here, there are many factors to take into account, one of which is what you specifically want to do. Do you want to do forensics? Check out the list of digital forensics and incident response, or DFIR, courses that SANS offers. They also offer topics such as reverse engineering and malware analysis, incident response, threat hunting, and even industrial control systems. I know I’ve mentioned SANS a lot, mainly because I can vouch for the quality of their courses and instructors.
Let’s touch on some management-related certifications. Some of the big ones here are the Certified Information Systems Security Professional, or CISSP, and ITIL v4 for IT service management. These are both widely recognized certs that offer higher-level tiers once you obtain the required experience and pass the exams.
Check out some of the available certifications in the resources below:
Maintaining your certs
A big thing to keep in mind when you get one or many certs is that they usually have annual upkeep costs and continuing education requirements. Make sure to research the pricing models for the certifications that you get. For some vendors, you only pay one fee for the highest-level certification that you hold from that vendor, but for others you may be required to pay for each certification separately. With a bunch of certs from various vendors, this can add up quickly.
For continuing education, there are countless free resources out there that can be used to maintain your certifications. You have to think outside of the box for some of these. For example, security webinars and conferences may count. Check out the free CPE resource list from Varonis to get you started: https://www.varonis.com/guides/the-big-list-of-free-cpe-resources/.